Security

If you believe you’ve found a security vulnerability affecting danielkhrapko.com, please report it responsibly.

How to report

• Email: daniel@danielkhrapko.com
• You may encrypt your message using my PGP key: https://danielkhrapko.com/pgp-key.txt
• Please include:
  • A clear description of the issue
  • Steps to reproduce / proof of concept
  • Any relevant URLs, screenshots, or logs

Scope (in-scope)

This policy covers vulnerabilities that could impact:

• danielkhrapko.com and subdomains I control
• My deployments, DNS, CDN/WAF configuration, and CI/CD pipelines
• Misconfigurations or integration issues involving third-party services as they apply to my setup (e.g., Cloudflare/DNS issues, GitHub Pages/Actions misconfig, webhook leakage, token exposure)

Out of scope

• Vulnerabilities in third-party providers that are not specific to my account/configuration or do not impact my domain
• Attacks that require targeting third-party infrastructure directly (e.g., attacking Cloudflare/GitHub/etc systems)
• Social engineering, physical attacks, or denial-of-service (DoS) testing

What to expect

• I’ll try to acknowledge your report within 7 days
• If it’s a valid issue, I’ll work on a fix as time allows

Safe harbor

I won’t pursue legal action against you for good-faith security research that:

• uses minimal impact testing
• does not access other people’s data or accounts
• avoids privacy violations and data destruction
• does not publicly disclose the issue before I’ve had a reasonable chance to address it (please allow 14 days for an initial fix or mitigation)

Rewards

This is a personal site and I don’t run a paid bug bounty program (wish I had that type of money), but I appreciate responsible reports! If a report is especially helpful, I may offer a small thank-you at my discretion.